Post on 17-Jan-2016
Andy Malone MVP, MCT, Technology Evangelist
Quality Training (Scotland) Ltd & Microsoft (UK)
Andrew.malone@quality-training.co.uk
http://blogs.quality-training.co.uk/blog
What’s New & Exciting in Windows Server 2008! – Part 2
Part 2 will cover!
Terminal Services! What is it and why you need it!
Deploying Terminal Services
Understanding TS Licensing & TS Session Broker!
Deploying TS Remote Programs!
TS Web Access
Security Update: ADRMS & Other Stuff!
Conclusions!
Terminal Services Update!
Looks Good but What can it do for me?
Benefits & Uses of Terminal Services
Who should use Terminal Services?
Terminal Services Installation, Configuration & Management
New Features for Security, Manageability & Scalability
Figure: Terminal Services usage scenarios: mobile worker in an airport, branch office, home office, central location.
TS System Configuration
Terminal Services Configuration MMC snap-in
Local Group Policy or Group Policy from AD
Local registry:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
HKLM\SYSTEM\CurrentControlSet\Services\TermDD or \TermService or \tssecsrv (don’t touch!)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
...
Installing Terminal Services!
Enabling Terminal Services on Server Core!
Command Line
Remote Admin mode:
Cscript scregedit.wsf /ar 0
Allow pre-Vista/Windows Server 2008 clients:
Cscript scregedit.wsf /cs 0
Reboot for the computer name change to take effect:
shutdown /t 0 /r
TS – Server Core Unattend File!
Unattend
Remote Admin mode: in the <settings pass="specialize"> section add:
  <component name="Microsoft-Windows-TerminalServices-LocalSessionManager" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
    <fDenyTSConnections>false</fDenyTSConnections>
  </component>
To allow pre-Vista/Windows Server 2008 clients: in the <settings pass="specialize"> section add:
  <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
    <UserAuthentication>0</UserAuthentication>
  </component>
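Added example, not from the slides: a PowerShell check that reads back the registry values behind scregedit.wsf /ar (fDenyTSConnections) and /cs (UserAuthentication), so you can see whether a server still accepts pre-Vista clients without Network Level Authentication after the relaxation above, and put it back. It assumes admin rights on a host that has PowerShell (Server Core 2008 R2 or later; the 2008 RTM Server Core the slide targets has no PowerShell, which is why the slide uses cscript).

```powershell
# Registry locations the slide lists; the per-listener values live under WinStations\RDP-Tcp
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = Join-Path $TsKey 'WinStations\RDP-Tcp'

function Get-RegDword {
    # Returns the DWORD value or $null when the value is absent
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-RdpPosture {
    $deny = Get-RegDword $TsKey  'fDenyTSConnections'   # 1 = remote connections refused (scregedit /ar 1)
    $nla  = Get-RegDword $RdpKey 'UserAuthentication'   # 1 = NLA required before a session is created
    $sl   = Get-RegDword $RdpKey 'SecurityLayer'        # 0 = RDP security layer, 1 = negotiate, 2 = TLS
    $names = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'TLS' }
    $layer = if ($null -ne $sl -and $names.ContainsKey($sl)) { $names[$sl] } else { 'not set' }
    if ($deny -ne 0)           { $finding = 'Remote Desktop disabled' }
    elseif ($nla -ne 1)        { $finding = 'WEAK: legacy clients accepted without NLA (effect of scregedit /cs 0)' }
    elseif ($layer -eq 'RDP')  { $finding = 'WEAK: legacy RDP security layer in use (no TLS)' }
    else                       { $finding = 'OK: NLA enforced' }
    [pscustomobject]@{
        RemoteDesktopEnabled = ($deny -eq 0)
        NlaRequired          = ($nla -eq 1)
        SecurityLayer        = $layer
        Finding              = $finding
    }
}

function Set-RdpRequireNla {
    # Undo the "/cs 0" relaxation once the legacy clients are gone (what scregedit.wsf /cs 1 sets),
    # and prefer TLS over the RDP security layer. Existing sessions are not affected; new ones are.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value 2 -Type DWord
}

Get-RdpPosture | Format-List
```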
Terminal Services Licensing!
Obtaining Client Access Licenses
Figure: TS Per Device CALs: (1) the client connects to the Terminal Server, (2) the Terminal Server requests a license from the License Server, (3) the License Server delivers the license.
Figure: TS Per User CALs (AD): (1) the client connects to the Terminal Server, (2) the Terminal Server requests a license from the License Server, (3) the license is stored in Active Directory Domain Services.
Figure: TS Licensing components: Clearing House, License Server, Terminal Services client, Terminal Servers, certificate.
Understanding what the Terminal Server Session Broker does!
Load Balancing: The options!
DNS Round Robin
Microsoft Network Load Balancing (NLB)
TS Session Broker
Standalone TS Vs TS Farm
Figure: standalone instance versus farm.
Load Balancing
Figure (built up over several slides): a farm of TS A (10.0.0.2), TS B (10.0.0.3) and TS C (10.0.0.4) with a Session Broker; DNS holds round-robin records MyFarm.com -> 10.0.0.2, 10.0.0.3 and 10.0.0.4.
TS Load Balancing Limitations!
You cannot load balance Remote Programs, just Published Desktops.
Load balancing is based on sessions only, so there are no advanced load evaluators. The full feature set of 2008 TS now looks like this:
TS Gateway
TS Remote Programs
TS Web Access
WRSM For Terminal Servers
TS Easy Print
TS Session Broker Load Balancing
Configuring TS Session Broker
Deploying Remote Applications!
Terminal Services RemoteApp
MSI packages provide setup and deployment integration:
Active Directory Group Policy
Systems Management Server
Manual
Shortcuts published to:
Desktop
Start menu
Add/remove programs
Figure: a Windows Server 2008 Terminal Server publishes RemoteApp programs either through AD (push GP-published applications) or manually, to an RDP 6 client.
Terminal Services Remote Programs Deployment Tips
Put common applications on the same server, e.g. the Microsoft Office family (use VLE)
Consider putting individual applications on separate servers when:
The application has compatibility issues
A single application and its associated users may fill server capacity
Create a load-balanced ‘farm’ for single applications that exceed one server
Use Microsoft SoftGrid to improve server usage and application compatibility
Terminal Services App Analyzer
Tool detecting incompatible app behavior:
1. Shared resources – files/registry objects
2. Access/privilege issues
3. Future: Windows API calls with special cases for TS
Requires the download and installation of Application Verifier
TS Remote Applications!
Terminal Server Web Access
What is TS Web Access?
What are the benefits?
What are the Server requirements?
What are the client requirements?
Figure: TS Web Access architecture: a mobile worker in an airport, a branch office or a home office reaches TS Web Access; components are Windows Server 2008 Terminal Servers, Active Directory, Session Directory, the Longhorn RDP client and a load balancer; traffic runs over HTTPS and RDP; supported in AD mode and single server mode.
Terminal Server Web Access
Security Update! Rights Management & More....
Emphasis is placed on perimeter based security mechanisms, which block unauthorized access
Transit-based security (Email encryption, IPSec, etc.) only protects the content while it is moving from one place to another
ACLs are also effective for limiting access
However, these mechanisms are powerless to stop data that has been accessed by authorized individuals from ‘leaking’ out of the organization via email, print, or copy/paste
Firewalls and ACLs aren't Enough
Government and Industry Compliance
Many governmental compliance rules (HIPAA, Sarbanes Oxley, FDA 21CFR11, etc.) require that measures are put into place to safeguard digital information
Expiration of content is required by many other industry and governmental regulations
IDA Review: Microsoft Approach
A comprehensive set of IDA platform technologies and applications
Complemented by a broad international partner program
Figure: Microsoft solution focus areas (Directory Services, Strong Authentication, Federated Identity, Information Protection, Identity Lifecycle Mgmt); user and developer experiences (Microsoft Office, Windows, Web, Portals, CardSpace); IDA management capabilities (ILM, partners); extensibility (20+ connectors, WS-*); platform components (AD Domain Services, AD Federation Services, AD Rights Management Services, AD Certificate Services, BizTalk, .NET, Visual Studio, ILM SDK).
IDA Review: Platform Components
Part of the Windows Server 2008 license:
Microsoft Active Directory Domain Services
Microsoft Active Directory Certificate Services
Microsoft Active Directory Federation Services
Premium Products:
Active Directory Rights Management Service
Identity Lifecycle Manager 2007
The document author can define who can do the following:
View document
Edit document
Print document
Copy/Paste
RMS Gives Authors Control
1. On first use, authors receive a client licensor certificate from the RMS server
2. Author creates content and assigns rights
3. File is distributed to recipient(s)
4. Recipient opens file, and their RMS client contacts the server for user validation and to obtain a license
5. Application opens the file and enforces the restrictions
How RMS Works
It can’t stop a determined information thief
It can’t stop a person from taking digital pictures
It can’t stop a third-party screenshot utility from taking pictures of the content
It can’t use an existing PKI implementation
A deployed RMS server is NOT the root; Microsoft is the root authority.
For an internal solution to be effective, there needs to be access to the RMS server from wherever documents will be accessed
What RMS cannot do…
Windows Rights Management Client
Included in Windows Vista
Windows RMS SP2 Client x86 (Supports XP, 2003 Server, Windows 2000)
Windows RMS SP2 Client x64
Windows RMS SP2 Client IA64
Rights Management Add-on for Internet Explorer
Office client support:
Office 2003
Office 2007
RMS Client Prerequisites
Setting User Permissions!
Rights Management!
Sounds ok, but why do I need this stuff anyway?
Ok, Real World Security Examples!
Time for Some Inside Information!
Google Hacking
Various usernames and passwords (both encrypted and in plain text)
Internal documents
Internal site statistics
Intranet access
Database access
Mail server access
And much, much more
Google Hacking Examples!
Site:com filetype:xls "Accounts"
site:gov.uk filetype:xls users
site:gov.uk filetype:doc staff
site:gov.uk filetype:ini WS_FTP PWD
site:gyhs.co.uk "index of /" password.txt
site:co.uk "index of /" +passwd
site:dk +hotel filetype:xls
site:com +password filetype:xls
Inurl:admin users passwords
inurl:admin intitle:index.of
"Microsoft-IIS/5.0 Server at" intitle:index.of
What the Bad Guys Use! Google Hacking!
What the Bad Guys Use! Goolag!
Don’t Get Google Hacked!
Keep sensitive information off the internet.
Be careful how you write your scripts and access your databases.
Use robots.txt to let Google know what parts of your website it is ok to index. Specify which parts of the website are “off bounds”.
Ensure directory rights on your web server are in order.
Monitor your site for common errors.
“Google hack” your own website.
Create a Robots.txt
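Added example, not from the slides: a PowerShell self-audit that "Google hacks" your own server from the inside, walking the web root for the kinds of files the queries above turn up (spreadsheets, WS_FTP .ini files carrying a PWD= line, password.txt and passwd files, backups) and checking whether IIS directory browsing, the source of "index of /" listings, is switched on. Note that robots.txt only asks well-behaved crawlers to stay away and protects nothing by itself; the real fix is removing the files and correcting directory rights. It assumes IIS with the WebAdministration module and the default site and web root paths.

```powershell
function Find-ExposedFiles {
    param(
        [string]$WebRoot = 'C:\inetpub\wwwroot',                       # assumed default IIS web root
        [string[]]$RiskyExtensions = @('.xls', '.xlsx', '.mdb', '.bak', '.sql', '.old', '.log')
    )
    $findings = foreach ($file in Get-ChildItem -Path $WebRoot -Recurse -File -ErrorAction SilentlyContinue) {
        $ext    = $file.Extension.ToLowerInvariant()
        $reason = $null
        if ($file.Name -match '^(password|passwd|users|accounts|staff)\b') {
            $reason = 'sensitive file name'                               # password.txt, users.xls, staff.doc ...
        } elseif ($ext -eq '.ini' -and (Select-String -Path $file.FullName -Pattern '^\s*PWD=' -Quiet)) {
            $reason = 'WS_FTP-style stored password (PWD= line)'         # the "filetype:ini WS_FTP PWD" query
        } elseif ($ext -eq '.txt' -and (Select-String -Path $file.FullName -Pattern 'password' -Quiet)) {
            $reason = 'text file that mentions passwords'
        } elseif ($RiskyExtensions -contains $ext) {
            $reason = "data or backup file ($ext) under the web root"
        }
        if ($reason) { [pscustomobject]@{ Path = $file.FullName; Reason = $reason } }
    }
    return @($findings)
}

function Test-DirectoryBrowsing {
    # $true when IIS generates "index of"-style listings for the site (what the intitle:index.of queries find)
    param([string]$Site = 'Default Web Site')
    Import-Module WebAdministration -ErrorAction Stop
    $prop = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
                -Filter 'system.webServer/directoryBrowse' -Name 'enabled'
    return [bool]$prop.Value
}

Find-ExposedFiles | Format-Table -AutoSize
if (Test-DirectoryBrowsing) { Write-Warning 'Directory browsing is enabled: folder listings will be indexed' }
```

Run it as part of a regular check, not once; the query examples above find whatever is published on the day the crawler visits.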
Time to Snoop!
What The Bad Guys Use! BidiBlah!
Undetectable & Unbreakable Encryption!
Creates a virtual encrypted disk within a file and mounts it as a real disk.
Encrypts an entire partition or storage device such as a USB flash drive or hard drive.
Encryption is automatic, real-time (on-the-fly) and transparent.
Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
Hidden volume (steganography) and hidden operating system.
No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.
What the bad guys use! TrueCrypt & HashTab
Steganography
The basic idea behind this solution is that one "borrows" the least significant bit of the red value in a BMP to store 1/8 of a character.
The bitmap gets slightly distorted (zero or 1/256 red color change), but it isn't noticeable in BMPs with 16, 24 or 32-bit colors. Even with a plain, white BMP created with Paint you can't see it.
A character #0 in the input string is the EOL indicator. It is added as the input text is cast to a PChar.
Maximum message size would be:
What the bad guys use! Steganography!
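Added example, not from the slides: a PowerShell implementation of the scheme described above, hiding a message in the least significant bit of each pixel's red value in a 24-bit BMP (one bit per pixel, eight pixels per character, a 0 byte ending the message) and recovering it again, so an analyst can see exactly what such a bit stream looks like. It assumes an uncompressed 24-bit BMP with a 54-byte header and pixel bytes stored in B,G,R order; the capacity formula (pixels / 8 minus one for the terminator) follows from the scheme and is not quoted from the slide.

```powershell
function Get-BmpLayout {
    param([byte[]]$Bmp)
    if ([BitConverter]::ToUInt16($Bmp, 28) -ne 24) { throw 'Expected a 24-bit BMP' }
    $width = [BitConverter]::ToInt32($Bmp, 18)
    [pscustomobject]@{
        PixelOffset = [BitConverter]::ToInt32($Bmp, 10)
        Width       = $width
        Height      = [Math]::Abs([BitConverter]::ToInt32($Bmp, 22))              # negative = top-down rows
        RowBytes    = [int][Math]::Ceiling($width * 3 / 4) * 4                      # rows padded to 4 bytes
    }
}

function Get-RedOffsets {
    # File offset of the red sample of every pixel, row by row (red is the third byte of a B,G,R pixel)
    param($Layout)
    foreach ($row in 0..($Layout.Height - 1)) {
        foreach ($col in 0..($Layout.Width - 1)) { $Layout.PixelOffset + $row * $Layout.RowBytes + $col * 3 + 2 }
    }
}

function Hide-Message {
    param([byte[]]$Bmp, [string]$Text)
    $layout = Get-BmpLayout $Bmp
    $maxChars = [Math]::Floor($layout.Width * $layout.Height / 8) - 1             # leave room for the 0 terminator
    if ($Text.Length -gt $maxChars) { throw "Message too long: at most $maxChars characters fit" }
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Text) + [byte]0
    $bits = foreach ($b in $bytes) { foreach ($i in 7..0) { ($b -shr $i) -band 1 } }  # MSB first
    $offsets = @(Get-RedOffsets $layout)
    $out = [byte[]]$Bmp.Clone()
    for ($k = 0; $k -lt $bits.Count; $k++) {
        $out[$offsets[$k]] = [byte](($out[$offsets[$k]] -band 0xFE) -bor $bits[$k])   # red moves by at most 1/256
    }
    return $out
}

function Reveal-Message {
    param([byte[]]$Bmp)
    $offsets = @(Get-RedOffsets (Get-BmpLayout $Bmp))
    $sb = New-Object System.Text.StringBuilder
    for ($k = 0; $k + 7 -lt $offsets.Count; $k += 8) {
        $b = 0; foreach ($i in 0..7) { $b = ($b -shl 1) -bor ($Bmp[$offsets[$k + $i]] -band 1) }
        if ($b -eq 0) { break }                                                    # character #0 ends the text
        [void]$sb.Append([char]$b)
    }
    return $sb.ToString()
}

function New-WhiteBmp {
    # Constructed sample cover image: a plain white bitmap built in memory, like the slide's Paint example
    param([int]$Width, [int]$Height)
    $rowBytes = [int][Math]::Ceiling($Width * 3 / 4) * 4
    $size = 54 + $rowBytes * $Height
    $bmp = New-Object byte[] $size
    for ($i = 54; $i -lt $size; $i++) { $bmp[$i] = 0xFF }
    $bmp[0] = 0x42; $bmp[1] = 0x4D                                                     # 'BM' signature
    # file size, pixel data offset, DIB header size, width, height (little-endian int32 fields)
    foreach ($f in @(@(2, $size), @(10, 54), @(14, 40), @(18, $Width), @(22, $Height))) { [BitConverter]::GetBytes([int]$f[1]).CopyTo($bmp, $f[0]) }
    [BitConverter]::GetBytes([uint16]1).CopyTo($bmp, 26); [BitConverter]::GetBytes([uint16]24).CopyTo($bmp, 28)   # planes, bpp
    return $bmp
}

$cover = New-WhiteBmp -Width 40 -Height 4          # 160 pixels: room for 19 characters plus the terminator
$stego = Hide-Message -Bmp $cover -Text 'audit sample'
Reveal-Message -Bmp $stego
```

Comparing $cover and $stego byte by byte shows only red samples differing, and only by one, which is why the slide says the change is invisible; a detector has to look at LSB statistics rather than at the picture.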
This Session Covered!
Terminal Services! What is it and why you need it!
Deploying Terminal Services
Understanding TS Licensing & TS Session Broker!
Deploying TS Remote Programs!
TS Web Access
Security Update: ADRMS & Other Stuff!
Conclusions!
Thank you for attending this TechNet Event
Find these slides at: http://www.microsoft.com/uk/technetslides